
Investigate scanner-cli to provide password and (other) secrets scanning

Open maoo opened this issue 5 years ago • 2 comments

See https://github.com/hawkeyesec/scanner-cli

Scanner-cli provides a wide range of features; as a proof of concept, it is required to:

  • [ ] Add the scanner-cli dependency
  • [ ] Configure scanner-cli using .hawkeyerc and .hawkeyeignore
  • [ ] Create a check in git-proxy that invokes scanner-cli
  • [ ] Log and return results

maoo avatar Sep 19 '20 10:09 maoo

In addition to actually executing the secret scanning, git-proxy (via #47) can simply check that built-in GitHub secret scanning is enabled on the upstream repo before allowing a push to go forward. In combination with GitHub's push protection, this is a light-weight method for detecting secrets in source.

Many organizations have secrets such as LDAP credentials that do not get detected by the partner patterns so some extensibility is still needed and it makes sense to have another defensive layer to detect custom or in-house secrets via git-proxy.

coopernetes avatar Oct 07 '23 20:10 coopernetes

Love the idea, thanks @coopernetes!

It's worth mentioning that Goldman Sachs contributed to FINOS a secret scanning tool called CatchIT, see https://github.com/finos/catchit

maoo avatar Oct 08 '23 10:10 maoo